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Abstract  This  paper  (a)  describes  a  defender-attacker-defender  sequential  game  model  (DAD) 
to  plan  defenses  for  an  infrastructure  system  that  will  enhance  that  system’s  resilience 
against  attacks  by  an  intelligent  adversary,  (b)  describes  a  realistic  formulation  of 
DAD  for  defending  a  transportation  network,  (c)  develops  a  decomposition  algorithm 
for  solving  this  instance  of  DAD  and  others,  and  (d)  demonstrates  the  solution  of 
a  small  transportation-network  example.  A  DAD  model  generally  evaluates  system 
operation  through  the  solution  of  an  optimization  model,  and  the  decomposition  algo¬ 
rithm  developed  here  requires  only  that  this  system-operation  model  be  continuous 
and  convex.  For  example,  our  transportation-network  example  incorporates  a  conges¬ 
tion  model  with  a  (convex)  nonlinear  objective  function  and  linear  constraints. 


Keywords  infrastructure  defense;  infrastructure  protection;  homeland  defense;  intelligent  adver¬ 
sary;  game  theory;  optimization;  defender-attacker-defender  model;  trilevel  game; 
Stackelberg  game;  probabilistic  risk  analysis;  traffic  equilibrium 


1.  Introduction 

Because  of  recent  terrorist  attacks  that  have  destroyed  public  and  private  infrastructure 
(e.g.,  the  World  Trade  Center  attacks  in  New  York  in  2001,  the  train  bombings  in  Madrid  in 
2004,  the  public-transport  bombings  in  London  in  2005),  and  because  of  continuing  threats, 
the  United  States  and  other  countries  have  directed  substantial  efforts  toward  (a)  assess¬ 
ing  threats  to  critical  infrastructure  from  attacks  by  an  intelligent  adversary,  (b)  develop¬ 
ing  defenses  that  help  prevent  attacks,  and  (c)  developing  defenses  that  enhance  system 
resilience,  that  is,  defenses  that  mitigate  the  damage  caused  by  successful  attacks.  This 
paper  concerns  itself  with  items  (a)  and  (c). 

As  defined  by  the  U.S.  Government  [71],  critical  infrastructure  consists  of  “systems  and 
assets,  whether  physical  or  virtual,  so  vital  to  the  United  States  that  the  incapacity  or 
destruction  of  such  systems  and  assets  would  have  a  debilitating  impact  on  security,  the 
national  economy,  national  public  health  or  safety,  or  any  combination  of  those  matters.” 
The  U.S.  National  Strategy  for  Homeland  Security  states  the  infrastructure  mission  unam¬ 
biguously:  “We  must  now  focus  on  the  resilience  of  the  system  as  a  whole — an  approach  that 
centers  on  investments  that  make  the  system  better  able  to  absorb  the  impact  of  an  event 
without  losing  the  capacity  to  function”  (Homeland  Security  Council  [43,  p.  28]).  Using  lim¬ 
ited  investment  resources  to  support  this  mission  challenges  infrastructure  decision-makers 
at  all  levels  of  government,  industry,  and  the  military.  This  paper  shows  how  to  model  and 
solve  such  investment  problems. 

One  technique  advocated  for  analyzing  infrastructure  defenses  against  a  deliberate  adver¬ 
sary  builds  on  a  long  tradition  of  risk  assessment  for  nondeliberate  threats  such  as  natural 
disasters,  technological  failures,  and  accidents:  “probabilistic  risk  assessment”  (“PR.A,”  also 
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called  “probabilistic  risk  analysis”)  is  a  conglomeration  of  techniques  that  many  organiza¬ 
tions,  including  the  U.S.  Department  of  Homeland  Security  (DHS),  are  using  in  an  attempt 
to  improve  the  resilience  of  infrastructure  to  attack.  (See  Garrick  et  al.  [36],  Parnell  et  al. 
[58] ,  Ezell  et  al.  [30]  for  general  discussions  of  PRA;  see  DHS  [29]  regarding  PRA’s  applica¬ 
tion  at  DHS.)  In  the  simplest  case,  risk  assessment  amounts  to  scoring  the  risk  associated 
with  individual  attack  scenarios  by  defining  Risk  =  Threat  x  Vulnerability  x  Consequence ; 
more  complicated  cases  apply  more  complicated  functions  that  are  represented  generically 
as  Risk  =  f  (Threat,  Vulnerability ,  Consequence) .  Roughly  speaking,  Threat  is  the  probabil¬ 
ity  of  a  particular  attack,  Vulnerability  is  the  probability  that  such  an  attack  would  be 
successful,  and  Consequence  measures  the  damage  incurred  by  a  successful  attack,  in  terms 
of  lives  lost,  economic  damage,  etc.  Subject-matter  experts  must  be  involved  in  assessing  all 
of  these  quantities  (see  Willis  [76],  ASME  [5]).  Once  evaluated,  risk  scores  become  the  basis 
for  prioritized  investment  that  aims  to  reduce  those  scores  (Pate-Cornell  and  Guikema  [59], 
Bier  [8],  Willis  [76],  Bier  et  al.  [9]). 

PRA  models  require  that  event  probabilities  be  defined  as  static  inputs.  For  a  “terrorism 
risk  analysis”  of  some  infrastructure  system,  for  instance,  one  input  might  be  the  probability 
that  component  X  of  a  system  will  be  attacked,  and  another  might  be  the  conditional 
probability  that  component  X  will  be  damaged  to  a  specified  degree  if  it  is  attacked.  (Results 
of  attacks  are  stated  in  terms  of  expected  consequences,  e.g.,  expected  economic  losses.) 

Growing  evidence  indicates,  however,  what  game  theorists  know  intuitively:  static  proba¬ 
bilities  are  inappropriate  for  modeling  the  behavior  of  an  intelligent  adversary  (Cox  [25,  26], 
Golany  et  al.  [39],  Brown  and  Cox  [11,  12]).  Indeed,  two  National  Research  Council  studies 
harshly  criticize  DHS’s  use  of  PRA,  especially  in  the  context  of  terrorism  (NRC  [56,  57]). 
Further,  even  if  PRA  could  measure  Risk  correctly  through  static  inputs,  PRA  offers  no 
general,  computationally  viable  method  for  allocating  limited  resources  to  minimize  risk.  In 
particular,  the  standard  method  of  “spending  down  the  prioritized  list”  until  a  budget  limit 
is  reached  is  unlikely  to  be  optimal.  The  only  way  to  overcome  the  difficulty  of  minimizing 
risk  within  the  PRA  framework  would  be  to  develop  an  efficient  method  to  compute,  at  least 
implicitly,  the  risk  to  each  possible  set  of  vulnerable  components.  But  no  such  method 
currently  exists.  In  several  ways,  then,  PRA  is  the  wrong  tool  for  planning  infrastructure 
defenses  against  an  intelligent  adversary. 

Game  theory,  in  contrast  to  PRA,  models  the  actions  of  interacting  “players”  and  therefore 
offers  a  more  appropriate  framework  for  modeling  (a)  a  society  that  wants  to  protect  its 
infrastructure  from  attack  by  building  defenses,  (b)  an  adversary  who  is  likely  to  see  those 
defenses  and  to  attack  in  a  maximally  harmful  way,  and  (c)  a  society  that  will  observe  the 
results  of  any  attacks  and  operate  to  the  best  of  its  reduced  ability.  We  propose  such  a  model 
here,  with  the  goal  of  maximizing  resilience  of  infrastructure,  i.e.,  minimizing  disruption, 
against  worst-case  attacks.  Disruption  is  evaluated  quantitatively. 

The  rest  of  this  paper  is  outlined  as  follows.  Section  2  describes  the  paradigm  of  a  sequen¬ 
tial  (Stackelberg)  game  for  planning  infrastructure  defense,  namely,  a  “defender-attacker- 
defender  model”  (DAD):  we  survey  the  literature  here,  also.  Apparently,  the  literature 
reports  computational  results  for  only  one  instance  of  DAD  for  a  realistically  modeled 
infrastructure  system,  namely,  an  electric  power  transmission  grid  (Salmeron  et  al.  [65]). 
That  paper  does  not  fully  explain  its  solution  methods,  however.  Therefore,  §3  describes  a 
realistic  DAD  model  for  planning  defense  of  municipal  road  infrastructure,  and  §4  devel¬ 
ops  a  simple,  general  algorithm  for  solving  it.  Section  5  presents  computational  results  and 
analysis  of  a  small  example;  that  section,  together  with  the  appendix,  specifies  all  problem 
data.  To  the  best  of  our  knowledge,  this  work  describes  the  first  use  of  a  nonlinear  system- 
operation  model  within  the  DAD  framework.  Section  6  presents  conclusions  and  suggests 
directions  for  future  work. 
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2.  The  DAD  Model 

A  number  of  researchers  have  proposed  the  use  of  optimization-based  models  to  represent  a 
“defender’s”  and  an  “attacker’s”  sequential  decisions  for  the  purpose  of  defending  infrastruc¬ 
ture  (Brown  et  al.  [16];  Morton  et  al.  [55];  Scaparra  and  Church  [66];  Salmeron  et  al.  [65,  ?]). 
Brown  et  al.  [16]  formulate  a  model  of  defense,  attack,  and  operation  of  an  infrastructure  sys¬ 
tem  using  a  three-stage,  sequential  game,  called  a  defender-attacker-defender  model  (DAD). 
This  model,  which  is  a  type  of  Stackelberg  game  (see  von  Stackelberg  [73]),  commonly  takes 
this  form: 


DAD:  min  max  min  /( y). 

w  GW  xGA'(w)  y£Y(  w,x) 

In  the  first  stage  of  this  model,  the  “defender”  chooses  infrastructure  investments  w  £  W; 
in  the  second  stage,  the  “attacker”  sees  those  investments  and  attacks  using  attack  plan 
x  G  X  (w) ;  in  the  third  stage,  the  defender,  as  “operator”  of  the  system,  sees  attacks  x  and 
infrastructure  investments  w,  and  operates  the  system  by  choosing  activities  y  £  T(w,x) 
that  minimize  operating  cost  measured  through  /( y).  More  details  follow. 

2.1.  The  Operator  D 

The  innermost  minimization  of  /( y)  represents  the  actions  of  the  defender- as- operator,  or 
simply  operator,  who  chooses  a  set  of  activities  y  G  Y (w,  x)  to  minimize  the  cost  of  operating 
the  system.  (The  defender  and  operator  may  not  be  the  same  entity,  but  they  share  the  same 
goals.)  The  notation  T(w,x)  indicates  that  activities  may  be  affected  by  both  defensive 
investments  w  and  attacks  x. 

Cost  for  the  operator  should  be  construed  broadly,  and  can  cover  dollar  cost,  lives  lost, 
delay  of  travelers,  and  so  on.  Of  course,  “negative  output”  or  “negative  throughput”  can  be 
used  here  if  the  operator’s  goal  is  actually  to  maximize  output,  throughput  or  some  similar 
measure.  The  model  can  also  be  generalized,  typically  for  solution  purposes,  to  include  an 
objective  function  of  the  form  /( w,x,y).  More  important  is  the  fact  that  the  system  need 
not  have  an  actual  operator.  For  instance,  as  demonstrated  in  this  paper,  D  can  represent  the 
solution  of  an  equilibrium  model  of  a  cost-  or  delay-minimizing  population  of  travelers.  The 
keys  here  are  that  (a)  a  validated  model  represents  optimal  system  operation,  and  (b)  the 
model  can  be  manipulated  easily  to  reflect  parameters  and/or  constraints  that  change  as 
a  function  of  attacks  that  damage  or  destroy  components,  and  as  a  function  of  defensive 
actions  that  protect  existing  system  components,  add  capacity  to  such  components,  or  even 
construct  new  ones. 

Numerous  authors  propose  the  use  of  abstract,  surrogate  models  for  system  operation 
(or  for  evaluating  the  effects  of  attacks),  and  never  validate  their  models’  predictions 
using  “prevalidated,”  industry-standard  models.  For  instance,  Albert  et  al.  [2],  Chassin  and 
Posse  [18],  Lewis  [49,  pp.  263-284],  and  Wang  and  Rong  [74]  make  claims  about  the  vulner¬ 
ability  of  an  electric  power  grid  to  attack  using  surrogate  models  that  essentially  ignore  the 
physics  of  alternating  current.  Also,  a  number  of  authors  make  claims  about  the  resilience 
of  the  Internet  to  attack  or  random  disruptions  (e.g.,  Albert  et  al.  [3],  Cohen  et  al.  [21]),  but 
none  attempt  to  validate  their  work  using  an  industry-standard  network-simulation  pack¬ 
age  (e.g.,  Lucio  et  al.  [51]),  or  attempt  to  validate  with  experiments  on  real  networks  (e.g., 
Zaragoza  and  Belo  [81]).  These  surrogate  models  might  be  useful,  but  we  do  not  know. 

For  real  infrastructure  systems,  operator  models  often  exist  that  represent  “best  prac¬ 
tices”  within  a  particular  engineering  or  industrial  domain.  When  available,  these  models 
ought  to  be  adapted  and  used.  For  example,  when  considering  the  value  of  components  in 
electric  power  infrastructure,  one  ought  to  use  an  industry-standard  model  of  power  flow 
and  supply  (Salmeron  et  al.  [64,  65]);  when  considering  components  of  a  water-distribution 
system,  one  ought  to  use  a  standard  hydraulic  model  (Collins  et  al.  [22];  Bhave  and  Gupta 
[7,  pp.  115-151]);  and  when  considering  the  value  of  components  of  road  network,  one 
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ought  to  use  standard  traffic- flow  model  (Beckmann  [6],  Gazis  [37,  pp.  185-236],  Boyce  and 
Bar-Gera  [10]).  If  such  an  approach  is  used,  then  validation  is  essentially  automatic,  since 
the  relevant  industry  has  already  performed  the  required  validation.  (Models  involving  mul¬ 
tiple  infrastructures  or  simulation  certainly  warrant  investigation,  but  exceed  the  scope  of 
this  paper.) 

2.2.  The  Attacker  A 

The  maximization  in  DAD  represents  the  actions  of  an  attacker  who  observes  defensive 
preparations  and  then  chooses  an  attack  plan  x,  for  example,  xz  =  1  if  component  l  of  the 
system  is  attacked,  and  X(  =  0,  otherwise.  Defenses  will  influence  attacks  and/or  their  effects; 
hence  x  £  A(w).  The  attacker  seeks  to  maximize  damage  to  the  operator  by  maximizing 
the  operator’s  cost  of  operating  the  system. 

We  denote  the  model  that  results  from  fixing  w  in  DAD  as  AD(w),  or  generically  as  AD: 
this  is  an  attacker- defender  model.  Danskin  [28]  describes  min-max  models  that  resemble 
AD  except  that  he  uses  only  continuous  variables;  Moore  and  Bard  [54]  describe  a  more 
general  framework  that  does  allow  for  integer  variables  and  which  includes  AD  as  a  special 
case.  Unlike  AD,  Moore  and  Bard’s  model  does  not  require  that  each  player’s  objective  be 
diametrically  opposed.  This  generalization  does  not  seem  useful  in  our  context,  however, 
as  its  use  would  force  us  to  infer  the  attacker’s  “true”  objective,  probably  through  the 
impossible-to-validate  beliefs  of  subject-matter  experts. 

There  is  a  long  history  in  the  development  of  interdiction  models  to  assess  the  vulnerability 
of  a  system,  typically  a  network,  to  attack.  As  documented  by  Schrijver  [67],  the  famous 
max-flow/min-cut  theorem  has  its  origins  in  a  1955  study  of  how  to  interdict  the  Russian 
railroad  network  that,  in  the  event  of  a  war  with  the  West,  would  have  carried  materiel 
from  various  staging  points  into  eastern  Europe  (Harris  and  Ross  [42]).  That  model  may 
be  viewed  as  a  specialized  instance  of  AD  with  a  binary  model  of  system  operation:  the 
system  enables  positive  flow,  or  it  does  not.  The  models  described  below  are  more  general, 
and  each  may  be  viewed  as  a  full-fledged  instance  of  AD. 

Fulkerson  and  Harding  [34],  Golden  [40],  and  Israeli  and  Wood  [45]  formulate  and  solve 
network-interdiction  problems  that  maximize  the  shortest-path  length  between  two  desig¬ 
nated  nodes  in  the  subject  network.  The  first  two  papers  model  continuous  reductions  in 
capacity  with  “interdiction  effort,”  while  the  last  models  binary  interdictions.  Wood  [78] 
minimizes  the  maximum  flow  in  a  capacitated  network  through  interdiction  (see  also 
Wollmer  [77],  Ratliff  et  al.  [62],  Phillips  [61]);  Cormican  et  al.  [23]  model  and  solve  a 
stochastic  version  of  Wood’s  problem  that  minimizes  the  expected  maximum  flow  through 
a  capacitated  network  given  uncertain  arc  capacities  and/or  uncertain  attack  successes. 
Lim  and  Smith  [50]  present  and  solve  a  multicommodity-flow  network-interdiction  problem. 
Smith  [68]  and  Wood  [79]  present  overviews  of  interdiction  models.  Although  Cormican  et  al. 
do  not  use  the  following  terminology,  they  show  how  a  model  formulated  with  “capacity 
interdiction”  can  be  reformulated  usefully  as  a  model  with  “cost  interdiction,”  that  is,  as 
a  model  in  which  interdiction  increases  the  cost  of  an  activity.  This  reformulation  is  often 
important  for  efficient  solution  of  AD. 

Early  work  on  network-interdiction  models  of  the  form  AD  was  not  construed  as  iden¬ 
tifying  vulnerabilities  in  critical  infrastructure.  Much  new  work  on  AD  models  has  that 
explicit  purpose,  however;  for  example,  see  Salmeron  et  al.  [64]  and  Brown  et  al.  [15,  14]. 
Such  AD  models  have  also  served  as  the  basis  for  over  150  “red-team  exercises”  performed 
by  students  at  the  Naval  Postgraduate  School.  Brown  et  al.  [16]  document  some  insights  on 
the  vulnerability  of  infrastructure  from  those  exercises. 

2.3.  The  Defender  D 

The  outermost  minimization  in  DAD,  i.e. ,  “D,”  represents  the  actions  of  a  defender  who 
takes  the  first  step  in  this  game  model  by  choosing  a  defensive  investment  plan,  or  simply 
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defense  plan,  w  £  W.  This  plan  may  include  mounting  active  defenses,  hardening  infras¬ 
tructure  against  attack,  building  new  infrastructure  that  is  less  vulnerable  to  attack,  or 
adding  redundancy.  The  constraints  reflected  by  W  normally  include  one  or  more  impor¬ 
tant  resource  constraints,  so  by  controlling  w  €  W,  the  defender  seeks  to  allocate  limited 
resources  that  make  his  infrastructure  system  as  resilient  as  possible  to  attack. 

When  defense  plans  correspond  to  resource-constrained  component  hardening,  the  solu¬ 
tion  to  DAD  identifies  which  system  components  should  be  protected  to  minimize  the 
worst-case  disruption  to  operation.  In  the  context  of  facility  location,  Church  et  al.  [20] 
introduce  the  r-interdiction  median  problem,  a  variation  of  the  classical  p-median  loca¬ 
tion  problem  in  which  individual  facilities  are  unprotected  and  subject  to  attack:  such  a 
model  might  help  to  identify  the  most  important  facilities  in  a  supply  system.  Church  and 
Scaparra  [19]  and  Scaparra  and  Church  [66]  extend  this  work  to  allocate  defensive  (“forti¬ 
fication”)  resources  in  order  to  minimize  the  impact  of  interdiction.  The  p-median  problem 
is,  however,  only  a  surrogate  for  the  operation  of  a  real  distribution  system.  One  would 
hope  that  real  investment  in  the  protection  of  warehouses  or  other  parts  of  a  supply  chain 
would  follow  from  a  realistic,  validated  model  of  supply,  production  and  distribution  (e.g., 
Geoffrion  and  Graves  [38],  Arntzen  et  al.  [4],  Brown  et  al.  [17]). 

Brown  et  al.  [16]  pose,  but  do  not  solve,  instances  of  DAD  in  the  context  of  several 
infrastructure-defense  problems.  Salmeron  et  al.  [65]  develop  a  “global  Benders  decompo¬ 
sition  algorithm”  to  solve  such  models,  and  apply  that  algorithm  to  identifying  optimal 
defensive  investments  in  electric  power  systems.  They  solve  some  large,  realistic  problems, 
but  their  description  lacks  details  and  does  not  cover  new  construction  or  capacity  expansion 
as  our  paper  does. 

When  defense  plans  w  £  W  correspond  to  capacity  expansion  or  the  construction  of 
new  infrastructure,  DAD  represents  a  special  type  of  system-design  problem.  An  extensive 
literature  exists  on  the  design  of  “survivable  networks,”  where  the  objective  is  often  posed 
as  a  generalization  of  the  fc-node  or  fc-edge  connected  network  problem;  see  Kerivin  and 
Mahjoub  [46]  and  Grotschel  et  al.  [41]  for  surveys.  Much  of  this  literature  uses  abstract 
models  as  surrogates  for  real  system  operation,  for  example,  requiring  at  least  two  node- 
disjoint  (or  edge-disjoint)  paths  between  all  node  pairs  in  a  telecommunications  network 
(e.g.,  Fortz  and  Labbe  [33]).  Other  network-design  papers  in  telecommunications  use  simple, 
flow-based  operator  models  (e.g.,  Mateus  and  Patrocinio  [53]);  these  are  close  in  spirit  to 
the  operator  models  we  propose  for  use  in  DAD. 

Smith  et  al.  [69]  formulate  and  solve  a  DAD-type  model  for  designing  a  multicommodity 
flow  network  that  is  robust  to  optimal  attacks.  (They  also  consider  models  with  heuristically 
planned  attacks.)  Their  network-design  constructs  resemble  ours,  and  could  represent  hard¬ 
ening  of  existing  construction  as  well  as  new  construction.  And,  similar  to  our  work,  they 
develop  a  decomposition  algorithm  for  finding  an  optimal  design,  i.e.,  an  optimal  defense 
plan.  Their  algorithm  has  one  key  limitation,  however:  it  depends  heavily  on  (a)  attacks 
being  represented  by  bounded,  continuous  variables  (which  reduce  flow  capacity),  and  on 
(b)  total  attack  effort  being  limited  by  a  single  knapsack  constraint.  Even  with  this  limi¬ 
tation,  generation  of  a  single  constraint  (“cut”)  for  their  algorithm’s  master  problem  may 
require  solution  of  |A|  mixed-integer  subproblems,  where  A  denotes  the  set  of  network  arcs. 
Our  methods  do  not  inherently  restrict  the  types  of  constraints  that  can  be  placed  on  the 
attacker,  except  that  attacks  are  presumed  to  be  binary.  We  also  note  that  our  methods 
work  with  convex,  nonlinear  operator  models  as  well  as  more  standard  linear  programs.  The 
work  by  Smith  et  al.  might  be  difficult  to  extend  to  the  nonlinear  case  because  of  its  explicit 
use  of  dual  extreme  points  from  the  linear  program. 

2.4.  Deliberate  Actions  vs.  Random  Events 

In  the  form  described  in  here,  DAD  models  deliberate  actions,  not  random  events  like 
natural  disasters  or  accidents.  Cormican  et  al.  [23]  and  Morton  et  al.  [55]  extend  deterministic 
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AD  models  to  incorporate  random  events,  however,  and  DAD  will  extend  similarly.  For 
instance,  no  conceptual  barrier  exists  to  modeling  the  random  lifetime  of  an  “emergency 
spare”  that  is  used  to  replace  a  system  component  damaged  by  a  deliberate  attack. 

3.  DAD  for  Defending  a  Municipal  Transportation  Network 

To  illustrate  the  DAD  approach,  this  section  describes  an  application  to  protecting  a  specific 
infrastructure  system.  We  consider  the  challenge  of  officials  in  a  city  government  who  must 
(a)  assess  the  resilience  of  their  city’s  transportation  network  of  roads  and  bridges  to  terrorist 
attacks,  and  (b)  identify  cost-effective  means  to  improve  that  resilience  by  defending  key 
links  or  adding  redundant  infrastructure.  The  key  links  in  the  network  are  bridges  because 
of  the  need  to  connect  several  islands  and,  unlike  road  segments,  bridges  could  take  many 
years  to  replace.  Thus,  only  bridges  are  vulnerable  to  attack  in  this  example. 

The  operator’s  model  in  this  case  is  a  convex,  nonlinear  program  that  evaluates  total 
(or,  equivalently,  average)  travel  time  for  a  population  of  travelers  traversing  a  network. 
The  nonlinear  program  implements  the  Wardrop  traffic-equilibrium  model  (Wardrop  [75], 
Beckmann  [6]),  which  is  employed  commonly  by  traffic  engineers  (e.g.,  Gazis  [37],  Boyce  and 
Bar-Gera  [10]).  Indeed,  commercial  traffic-analysis  software  provides  traffic  engineers  with 
solutions  of  this  equilibrium  model  (Correa  and  Stier-Moses  [24]). 

In  the  example  model  presented  here,  the  cost  of  system  operation  is  measured  in  terms 
of  total  user  travel  time  for  a  single  period  like  “the  morning  commute.”  A  more  detailed 
model  might  integrate  cost  over  time  until  the  system’s  damaged  components  are  repaired 
or  replaced  and  the  system  returns  to  normal.  In  effect  then,  our  example  assumes  that 
(a)  any  component  that  is  attacked  will  be  repaired  in  the  same  amount  of  time,  (b)  any 
period  of  peak  traffic  is  like  any  other,  and  (c)  nonpeak  traffic  is  of  no  interest.  We  present 
a  complete  model  next,  but  warn  the  reader  that  some  explanations  are  left  to  §4  where  an 
algorithmic  framework  simplifies  those  explanations. 

Indices  and  index  sets 

i,j,p  £  N  nodes  in  a  transportation  network  (intersections,  or  city  areas  treated  as  a  single 
locations  in  a  transportation  network);  p  denotes  a  population  origin  for  trips; 
(i,j)  £  E  undirected  edges  (“links”),  i.e.,  bridges  and  road  segments;  i<j  is  assumed; 

Eb  C  E  bridges; 

(i,j)  £  A  directed  arcs  (edges  with  direction  of  travel  included,  which  may  be  viewed  as 
traffic  lanes);  ( i,j )  £  E  <£>  (i,  j)  £  A  A  (j,  i )  £  A;  and 
dc  D  defense  options;  d  £  D,j  C  D  denotes  options  available  for  edge  (i-j)  £  E\  d0  £ 
D-ij  CD  is  a  “no-defense”  option  that  leaves  edge  (■ i,j )  £  E  unchanged  (i.e., 
undefended) . 

Data  [units,  if  applicable } 

bpi  for  p^i,  —bpi  is  the  number  of  travelers  at  p  who  wish  to  travel  to  i  [persons];  bpp  is 
the  total  supply  of  travelers  originating  at  p\ 
c'lj  length  of  arc  (i,j)  £  A  under  defense  option  d  [kilometers]; 

qfj  “equivalent  travel  length”  added  to  arc  (i,j)  £  A  under  defense  option  d  if  the  associ¬ 
ated  edge  is  attacked  [kilometers]  (used  to  penalize  travel  across  attacked  edges); 
afj  linear  term:  empirically  fit  objective- function  coefficient  for  (i,j)  £  A  under  defense 
option  d  [minutes/ (persons  x  kilometers)];  and 
/3(I  quadratic  term:  empirically  fit  objective-function  coefficient  for  (i,j)  £  A  under  defense 
option  d  [minutes/ (persons2  x  kilometers)]. 

Decision  variables  [units,  if  applicable] 

wfj  1  if  (i,j)  £  E  is  defended  using  defense  option  d£  D.y  ,  and  0  otherwise; 

Xij  1  if  (i,j)  £  E  is  attacked,  and  0  otherwise;  and 
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traffic  volume  (over  a  fixed  time  window)  originating  from  node  p  that  traverses  arc 
(i,j)  €  A  under  defense  option  d  [persons]. 

Generic  constraints 

ADEFw  <  bDEF  generic  linear  constraints  on  defense  plans;  and 
AATKx  <  bATK  generic  linear  constraints  on  attack  plans. 

Formulation  “DAD- Transport”: 

z*  =  min  max  min  f(x,y),  where 

t»e  w  xex  yeY(w ) 

/(*,  y)  =  ( 4 + ( a%  H  yU + 0tj  ( zC  via 

(i,j)£E  .  V  pGA  \p€N 

deDij 

+  {c%  +  QjiXij )  (atji  ^2  Vpij  +  Pji  (  5Z  l 

\  p&n  \peN 

W  =  jwe{0,l}|B|  |  ADEFw<bDEF,  J2wfj  =  l  v(*. 

Dij 

I  =  {xe{0,l}|E|  |  AATKx<bATK},  and 

ye<"“"D|  E  ,U~  E  =V 

j  |  (j,i)GA  d 

deDij  deDij  yPi' 

Upij  +  Vpji  A  bppWjj  \/pG  N,  ( i,j )  e  E,  d£  D ^ 

With  one  caveat  discussed  below,  the  objective  function  (1)  in  DAD- Transport  measures 
total  travel  time  for  all  travelers,  given  a  defense  plan,  an  attack  plan,  and  a  set  of  “traveler 
flows”  in  the  network.  Total  time  on  each  arc  increases  quadratically  with  the  volume  of 
traffic  on  that  arc;  §4  provides  more  details. 

The  constraint  set  W  (see  Equation  (3))  will  limit  total  defense  expenditures  to  a  posited 
budget,  represented  as  a  simple  cardinality  constraint. 

The  constraint  set  X  (see  Equation  (4))  will  limit  the  total  number  of  edge  attacks  to  a 
reasonable,  worst-case,  upper  bound. 

The  first  set  of  constraints  in  Y(w)  (see  Equation  (5))  define  standard,  multicommodity 
flow-balance  constraints  that  ensure  that  all  bpp  travelers  originating  at  each  p  €  N  arrive  at 
appropriate  destinations.  The  second  set  of  constraints  in  Y (w)  requires  that  all  travelers 
traversing  an  arc  use  the  “version”  of  that  arc,  d,  that  has  been  prepared  by  the  selected 
defense  option.  That  is,  if  wfj  =  1  for  edge  (i,  j),  then  all  travelers  traversing  arcs  (i,j) 
and  (j,i)  are  governed  by  parameters  determined  by  defense  option  d  for  edge  (i,j)  and 
by  whether  or  not  the  edge  has  been  attacked.  A  caveat  pertains,  however.  If  a  vulnerable 
edge  (i,j)  is  attacked  in  our  examples,  it  is  destroyed.  In  this  case,  the  corresponding  arc 
parameters  are  set  so  that  all  flow  on  (i,j)  and  (j.  i)  is  0,  unless  positive  flows  are  required 
for  feasibility.  Positive  flow  on  “destroyed  arcs”  indicates  that  the  network  is  disconnected 
and  that  total  travel  time  is  effectively  infinite. 

Constraints  on  defense  expenditures  will  be  known,  and  traffic  engineers  should  have  a 
good  model  of  traffic  flow  in  the  region.  Thus,  parts  D  and  D  of  this  model,  i.e.,  W  and  Y (w) 
should  be  well  understood.  “A,”  i.e.,  constraint  set  A,  will  be  modeled  in  generic  terms,  and 
potential  attackers  and  their  capabilities  will  be  studied  using  “capabilities  analysis”  (e.g., 
Cragin  and  Daly  [27,  pp.  39-57],  Steinhausler  et  al.  [70]).  This  analysis  should  provide  a 
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reasonable  range  for  the  maximum  number  of  bridges  that  might  be  attacked  simultaneously. 
In  practice,  results  within  that  range  would  be  produced  using  DAD  and  presented  to 
decision-makers  for  final  action;  the  examples  in  §5  illustrate. 

Notes,  (a)  A  more  detailed  model  might  measure  total  travel  time  per  person  as  above,  but 
would  adjust  for  vehicles  and  the  number  of  persons  per  vehicle.  In  effect,  DAD- Transport 
assumes  pedestrian  traffic  or  one  person  per  vehicle. 

(b)  “Supply  of  travelers”  assumes  a  period  of  time  over  which  all  travel  will  take  place, 
such  as  during  a  peak  morning  commute  period  of  two  hours.  Parameters  cf ,  of ,  and  /3fj 
are  set  accordingly. 

(c)  The  constraints  ADEFw  <  bDEF  and  AATKx  <  bArK  represent  arbitrary  linear  con¬ 
straints  on  defense  plans  and  attack  plans,  respectively.  The  only  such  constraints  used  in 
our  examples  are  (a)  a  cardinality  constraint  on  the  number  of  bridges  defended,  nDEF, 
(b)  a  cardinality  constraint  on  the  number  of  bridges  attacked,  ?rATK,  and  (c)  constraints 
to  reflect  that  fact  that  “nonbridges”  are  invulnerable  to  attack  and  need  not  be  defended. 
Constraints  ADEFw  <  bDEF  and  AATKx  <  bATK  could  reflect  limited  budgets  covering  sev¬ 
eral  categories  (e.g.,  money,  labor  resources,  energy  resources),  logical  conditions  between 
attacks  or  between  defenses,  and  so  on. 

4.  A  Decomposition  Algorithm  to  Solve  DAD 

This  section  develops  a  decomposition  algorithm  to  solve  DAD- Transport  and  more  gen¬ 
eral  instances  of  DAD.  We  first  present  additional  detail  on  the  operator’s  model  for  this 
problem,  and  describe  several  subsidiary  formulations  used  in  the  algorithm. 

4.1.  The  Operator’s  Problem 

Given  a  fixed  infrastructure-defense  plan  w  G  W,  and  a  fixed  attack  plan  x  G  X,  the  following 
model  defines  the  operator’s  problem: 

DAD(w, x, •):  zh(w,x)=  min  /(x,y). 

—  yev(w) 

The  notation  required  to  describe  the  full  DAD  model  in  Equations  (l)-(5)  makes  the 
operator’s  problem  appear  more  complicated  than  it  is.  Ignoring  the  caveat  on  penalties  used 
to  discourage  use  of  destroyed  bridges,  DAD(w,x,-)  is  a  simple  multicommodity  network- 
flow  model  with  a  quadratic  objective  function.  Each  commodity  is  defined  in  terms  of  the 
origin  of  a  group  of  travelers,  but  could  be  based  on  destination,  or  a  commodity  could  be 
defined  for  each  origin-destination  (O-D)  pair.  The  objective  function  measures  total  travel 
time  over  all  travelers,  over  some  normalizing  interval  of  time,  by  summing  travel  time  on 
each  arc  (■ i,j )  G  A  (through  a  summation  over  (i,j)  G  E).  Because  of  congestion  effects,  total 
travel  time  for  users  of  arc  (i,  j)  depends  quadratically  on  the  total  number  of  travelers  that 
traverse  that  arc,  yfj  =  J^peNVpij- 

Total  travel  time  on  arc  (i,  j)  may  be  expressed  as  yfjg(yfj),  where  <j(  ■ )  is  called  a  “delay 
function.”  Numerous  delay  functions  have  been  used  in  the  literature,  but  simple  polynomial 
functions  are  standard  and  have  been  validated  experimentally  (e.g.,  LeBlanc  et  al.  [48]). 
We  use  a  linear  delay  function  for  computational  simplicity  here,  yielding  a  quadratic  objec¬ 
tive  function;  future  work  will  investigate  the  use  of  using  higher-degree  polynomials  and, 
perhaps,  other  functional  forms. 

The  nonlinear  program  DAD(w,x,  •)  (Beckmann  [6])  derives  from  the  basic  traffic- 
equilibrium  model  (or  traffic  assignment  model)  described  by  Wardrop  [75].  Florian  and 
Nguyen  [32]  provide  one  the  first  validations  of  the  model.  Many  refinements  of  the  basic 
model  have  appeared  since  the  1960s  (e.g.,  Boyce  and  Bar-Gera  [10]),  but  the  basic  model 
is  still  in  use  (Correa  and  Stier-Moses  [24]).  We  note  that  early  traffic-equilibrium  models 
defined  commodities  through  O-D  pairs,  and  formulations  are  still  often  described  in  that 
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manner.  Defining  commodities  by  origin  or  by  destination,  however,  is  clearly  more  efficient 
(Petersen  [60],  Leblanc  et  al.  [48]). 

O-D  demands  are  estimated  by  sampling  actual  traffic  and  statistical  estimation.  The  com¬ 
plete  estimation  step  is  often  referred  to  as  “trip  generation”;  for  example,  see  Van  Zuylen 
and  Willumsen  [72],  and  Mannering  et  al.  [52,  pp.  293-298].  As  described  by  Wardrop  [75], 
each  traveler  is  assumed  to  follow  an  O-D  path  such  that  total  travel  time  for  all  travelers 
is  minimized:  this  maximizes  “societal  good.”  Wardrop’s  equilibrium  conditions  imply  that 
total  travel  time  on  a  link  is  a  convex  increasing  function  of  traffic  density;  empirical  work 
verifies  the  validity  of  this  functional  form.  A  more  refined  model  might  replace  travel  time 
with  a  “generalized  cost  of  travel,”  which  could  include  travel  time,  tolls,  out-of- vehicle  time, 
and  other  factors;  see  Abrahamsson  and  Lundqvist  [1]  and  Boyce  and  Bar-Gera  [10]. 

4.2.  The  Attacker-Defender  Subproblem 

The  overall  decomposition  algorithm  for  DAD  will  solve  a  sequence  of  attacker-defender 
subproblems  that  result  by  fixing  w  £  W: 


DAD(w,v):  Zad(w)  =max  min  /(x, y). 

—  xex  ygr(w) 

An  optimal  or  near-optimal  solution  to  this  problem  is  denoted  x*(w). 

DAD(w,-,-)  is  a  “simple”  attacker-defender  model,  which  we  solve  through  Benders 
decomposition.  This  solution  method  is  standard  for  such  problems,  so  we  omit  a  description 
(see  Cormican  et  al.  [23],  Israeli  and  Wood  [45]  for  examples).  We  find  it  computationally 
advantageous  to  specify  a  nonzero  optimality  gap  in  the  solution  of  DAD(w,-,-),  however, 
and  this  complicates  the  decomposition  algorithm  for  DAD.  Zakeri  et  al.  [80]  describe 
and  overcome  a  similar  complication,  which  arises  when  solving  a  linear  program  through 
Benders  decomposition,  and  not  solving  subproblems  to  optimality.  Section  4.4  will  explain 
how  to  handle  the  DAD  version  of  this  issue,  and  we  make  several  definitions  in  advance 
for  that  explanation: 

£ad  user-specified,  nonnegative,  relative  optimality  gap  for  the  decomposition  algo¬ 
rithm  that  solves  DAD(w,  •,  •), 

~ad  )  ~AD  lower  and  upper  bounds  provided  at  termination  of  the  decomposition  algorithm 
that  solves  DAD(w,  •);  these  values  must  satisfy  <  £adZad- 

4.3.  A  Detailed  Decomposition  Algorithm 

We  develop  a  decomposition  algorithm  here  to  solve  DAD- Transport  and  similar  problems. 
Some  additional  definitions  follow: 

X  the  set  of  all  feasible  attack  plans  viewed  as  an  enumerated  set;  and 

traffic  volume  originating  from  node  p  that  traverses  arc  (i,j)  £  A  under  defense 
option  d,  in  response  to  attack  plan  xfc  £  X  [persons] . 

Letting  yk  denote  the  vector  form  of  y'A ,  we  may  now  reformulate  DAD- Transport  as 

z*  =  min  max  min  /(xfc,  yk).  (6) 

w eW  Sk£x  yk€Y (w) 

Note  that  yk  £  Y (w)  implies  a  separate  set  of  (identical)  constraints  for  each  flow 
vector  yk. 

Because  the  defender  in  formulation  (6)  can  now  choose  each  set  of  flows  yk  independently 
in  anticipation  of  each  feasible  attack  plan,  we  can  exchange  the  innermost  “min”  and  “max” 
to  obtain  a  conceptually  simpler  min-max  problem: 

z*=  min  max /(xfc,yfc).  (7) 

w6ff1ytey(w)  Skex 
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Naturally,  we  cannot  hope  to  solve  realistic  instances  of  (7)  by  enumerating  all  attack 
plans,  and  creating  a  separate  traffic-flow  problem  for  each.  But,  this  formulation  leads  to 
a  decomposition  algorithm  that  generates  attack  plans  on  an  as-needed  basis,  and  we  hope 
to  identify  an  £-optimal  solution  long  before  enumerating  all  attack  plans.  Given  a  set  of  K 
feasible  attack  plans  XK  =  {x1, . . .  ,  xA},  we  formulate  a  “relaxed  DAD  master  problem” 
for  this  decomposition  algorithm  as  follows: 

DAD-MP(Xa): 


z*(XK)=  min  z 

(8) 

w£W,  y1  ,...,yK 

s.t.  z>/(xfc,yfe)  Vxfe  £  XK, 

(9) 

yk  £Y (w)  for  k  =  1, . . .  ,K. 

(10) 

This  model  is  a  quadratically  constrained  integer  program  that  may  not  be  solved  exactly, 
and  the  following  parameter  and  output  values  must  therefore  be  defined: 

£mp  user-specified,  nonnegative,  relative  optimality  gap  for  the  algorithm  that  solves 
DAD-MP(Xff);  and 

2mp>  4Pp  lower  and  upper  bounds  provide  at  termination  of  the  algorithm  that  solves 
DAD-MP(Tk);  these  values  must  satisfy  zjjp  —  z\fp  <  £mp^mp- 
We  can  now  state  a  full  decomposition  algorithm  for  solving  DAD. 

Algorithm  DAD-Decomp 

Input :  Full  DAD  problem  data  and  optimality  tolerances  e,  £mp>  £ad  >  0  for  the 
overall  decomposition,  the  DAD  master  problem,  and  the  AD 
subproblem,  respectively. 

/*£  >  £mp  is  assumed.*/ 

Output :  £-optimal  defense  plan  w*  and  corresponding  attack  plan  x*; 

1.  LB  < - oo;  UB  <—  oo;  K  <—  1; 

2.  for  (all  (i,j)  £  E){wf?K  <-  1;  wff  <-  0,  d  ^  d0 ;  };  w*  i-  wA; 

/*That  is,  choose  “no  defense”  as  the  initial  defense  plan  and  as 

the  incumbent  solution.*/ 

3.  Subproblem :  Solve  DAD(wa,-,-)  to  determine  attack  plan  xK  given  defense 
plan  wA  such  that  —  -  ad  —  ^ad -  ad  : 

/*We  assume  ^d^ad  >  0*/ 

4.  if  (zV^  <  UBT{UBV  2up  ;  w*  <-  w^;  x*  <-  xA;  } 

5.  if  (UB  -  LB  <  eLB)  go  to  End; 

6.  if  xA  repeats  any  prior  attack,  i.e.,  xK  £  XK ,  temporarily  add  one 
“solution-elimination  constraint”  to  DAD(wa,  •)  for  each  xfc  £  XK ,  and 
re-solve  for  a  new  xK ; 

/*Solution-elimination  constraints  are  described  below.  For  simplicity,  the  algorithm 
ignores  the  possibility  that  problem  in  Step  7  could  be  infeasible.*/ 

7. W**-1  U{x4 

8.  Master  Problem:  Solve  DAD-MP  (XK)  to  determine  defense  plan  wA+1 
such  that  2^p  ^  ~mp  <  £mp-mp! 

/*We  assume  -  0*/ 

9.  if  (4°  >LB)  LB  <— 4°; 

10.  if  (UB  -  LB  <  eLB)  go  to  End; 

11.  K  ■£-  K  +  1;  go  to  Subproblem; 

12.  End:  print  (“£-optimal  defense  plan  and  corresponding  attack  plan  are,”  w*,  x*). 

If  the  AD  subproblems  are  not  solved  to  optimality  in  each  step,  the  algorithm  can  repeat 
an  attack  plan.  This  can  lead  to  cycling,  because  the  bounds  will  not  change,  the  master 
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problem’s  feasible  region  will  not  change,  no  new  defense-plan  solutions  need  be  generated, 
and  no  new  attack  plan  need  be  generated  in  response.  There  are  a  few  ways  to  handle  this 
difficulty,  the  simplest  of  which  is  to  record  every  subproblem  solution  (i.e. ,  attack  plan) 
observed,  and,  if  one  repeats,  reduce  the  tolerances  on  the  respective  problem(s)  until  a  new 
solution  is  found.  This  may  cause  run  times  to  increase  dramatically,  however. 

Another  approach,  the  one  we  take,  forces  the  generation  of  a  new  attack  plan  (the 
algorithm  assumes  one  exists)  by  adding  a  set  of  K  “solution-elimination  constraints”  (SECs) 
whenever  an  attack  plan  xA  repeats: 

Y  xij>  l  VxfceF.  (li) 

The  SEC  in  (11)  based  on  a  specific  attack  plan  xfc  makes  that  plan  infeasible  in  the 
master  problem,  along  with  any  “dominated”  plans  x  <  xfe.  Thus,  no  solution  xfc  £  XK 
can  be  regenerated  at  Step  7  of  the  algorithm.  (Note  that  no  bounds  are  updated  in  the 
algorithm  when  using  SECs  because  the  validity  of  those  bounds  cannot  be  guaranteed.)  The 
SEC  used  here,  which  is  a  special  case  of  a  “super- valid  inequality”  (Israeli  and  Wood  [45]), 
requires  that  any  attack  plan  that  targets  multiple  components  dominate  all  plans  that 
target  a  strict  subset  of  those  components  (i.e.,  the  attacker  will  always  prefer  to  target  more 
components  of  the  system  than  fewer).  If  no  such  dominance  relationship  exists,  constraints 
that  enforce  a  lower  bound  of  1  on  the  Hamming  distance  between  a  new  solution  and  each 
xfc  £  XK  could  replace  (11);  see  Brown  and  Dell  [13].  We  note  that  adding  SECs  for  w  in 
the  master  problem  provides  a  third  approach  to  handling  nonzero  optimality  gaps  in  the 
decomposition  algorithm,  but  we  have  not  yet  explored  that  possibility. 

5.  A  Computational  Example:  The  Seven  Bridges  of  Konigsberg 

In  1758,  Leonhard  Euler  published  a  paper  using  as  a  motivating  example  the  propensity  of 
city  residents  to  traverse  the  seven  bridges  of  Konigsberg  (Euler  [31]);  see  Figure  1(a).  Using 
the  graph  shown  in  Figure  1(b),  Euler  proved  that  no  walking  path  existed  through  the 
city  that  crossed  each  bridge  exactly  once.  We  adapt  this  well-known  example  from  seminal 
graph  theory  to  more  modern  concerns. 

City  officials  are  concerned  about  the  disruptions  to  city  traffic,  and  thereby  to  the  local 
economy,  that  would  result  from  the  destruction  of  one  or  more  bridges  by  terrorists.  Officials 


Figure  1 .  The  seven  bridges  of  Konigsberg. 


(a)  (b)  (c) 


Notes,  (a)  A  drawing  of  the  seven  bridges  (Kraitchik  [47,  pp.  209—211]).  (b)  In  Euler’s  graph  representation, 
each  vertex  is  a  land  mass  and  each  undirected  edge  is  a  bridge,  (c)  For  illustrative  purposes,  we  adopt 
a  network  representation  that  reflects  the  bridges  (heavy  lines),  normal  road  segments  (horizontal  lines  at 
top  and  bottom)  and  artificial,  “intra-island  edges”  represented  by  the  graph  cliques  on  islands  A  and  D. 
Bridges  are  subject  to  attack  and  congestion;  road  segments  are  subject  to  congestion  but  not  attack;  and 
the  intra-island  edges  are  subject  to  neither  attack  nor  congestion,  but  do  require  a  fixed  amount  of  time  to 
traverse.  For  an  indication  of  the  scale  here,  note  that  the  small  central  island  is  about  one  half  kilometer 
in  its  longest  dimension. 
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Table  1.  Node  data  for  DAD  modeling  of  the  Konigsberg  transportation 
network. 


Nodes  p  £  N 

Supply  bpp  (persons) 

Demand  —bpi  (persons) 

Aa,  Ab,  Ac,  Ae, 

200 

Proportional  to  supply: 

Af,  De,  Df,  Dg 

-bpj  =  bppbu  /  bjj  \/p,i£N 

'  i^v 

Ba,  Bf,  Bg 

800 

Cc,  Cd,  Cg 

1,200 

Notes.  The  data  here  apply  to  the  DAD- Transport  model  of  the  network  shown  in 
Figure  1(c).  (In  1700,  Konigsberg  had  a  population  of  about  40,000,  so  these  numbers 
are  plausible.) 


also  want  to  know  if  worst-case  disruptions  could  be  reduced,  i.e.,  resilience  enhanced,  by 
defending  bridges  from  attack  or  making  other  infrastructure  improvements.  We  measure 
functionality  of  the  transportation  network  in  terms  of  the  average  travel  time  that  a  citizen 
would  experience  in  moving  about  the  city  on  a  busy  morning. 

The  data  requirements  for  this  problem  are  modest.  Figure  1(c)  shows  an  abstract  repre¬ 
sentation  of  the  main  routes  in  the  city.  Table  1  provides  data  on  the  nodes  for  this  problem; 
Table  2  provides  basic  edge  and  arc  data  in  the  absence  of  attack;  the  appendix  presents 
detailed  arc  data  for  all  examples.  The  DAD  examples  presented  here  are  small  enough 
that  they  could  be  solved  by  total  enumeration,  that  is,  by  solving  the  nonlinear  program 
DAD  (w,  x,  •)  for  each  feasible  combination  of  w  and  x.  The  decomposition  applies  broadly, 
however,  and  we  trust  that  the  examples  serve  well  to  illustrate  its  use. 

We  must  specify  X  and  W  for  this  problem,  also.  Capabilities  analysis  indicates  that 
bridges  are  key  targets,  and  that  at  most  three  could  be  attacked  at  one  time.  Thus, 


A  =  i  xe  {0,1}|E| 


T  Xij  <  nATK,Xij  =  0  V(i,  j)  €  E\Eb  \  for  nATK  =  0,1,2  or  3. 

(*,i)esB  J 


Planners  believe  that  the  city  budget  will  allow  for  the  defense  of  up  to  four  bridges, 
and  thus 


ibE  we{o,i}|E| 


E 


<4=nDEF, 


E  <•  =  !  V(t,j)ei5, 


deDi . 


Wa 


=  1  V(i,  j)  G  E\Eb  >  for  nr  =0,1, 2, 3  or  4. 


Table  2.  Edge  and  arc  data  for  DAD  modeling  of  the  Konigsberg  transportation 
network:  nominal  system  parameters  (i.e.,  assuming  w  =  0,  x  =  0  and  d  =  do). 

Edge  type  Edges  (i,j)  if;,  if  a% ,  ,  $ 

Bridge  (Aa,  Ba),  (Ab,Bb),  (Ac,Cc),  (Ad,  Cd),  1  5  0.020 

(Ae,  De),  (Bf,Df),  (Cg,Dg) 

Road  segment  (Ba, Bb),  (Bb.Bf),  (Cc,Cd),  (Cd,Cg)  1  15  0.005 

Intra-island  All  having  form  (Ax,  Ay)  or  (Dx,  Dy)  1  5  0.000 

Notes.  The  data  in  this  table  covers  all  edges  in  the  network  shown  in  Figure  1(c),  and  all  implied 
antiparallel  arcs.  All  edge  lengths  are  1  kilometer  for  simplicity.  The  intra-island  edges  (i,j)  rep¬ 
resent  a  complex  network  which  is  assumed  free  of  congestion  delays,  i.e.,  (3 f9  =  0.  However, 
traversing  any  of  these  edges  does  incur  five  minutes  of  travel  time,  i.e.,  =  5.  (Note  that  bridge 

edges  can  also  be  designated  by  single  letters,  i.e.,  a,  b, . . . ,  g.) 
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Figure  2.  Nominal,  optimal  operation  of  the  Konigsberg  transportation  network  bridges, 
(a)  (b) 


Notes,  (a)  Optimal  number  of  travelers  using  each  traffic  lane,  on  each  road  and  bridge,  under  nominal 
conditions.  (The  double  lines  here  represent  the  two  arcs  for  each  edge.)  The  average  travel  time  is  37.6  min¬ 
utes.  (b)  Optimal  routes  followed  by  the  1,200  travelers  originating  at  node  Cc.  For  clarity,  we  omit  arcs 
without  flow. 


In  the  absence  of  attack,  travelers  may  use  any  of  the  bridges  to  convey  traffic.  The 
minimum-time  solution  incurs  an  average  travel  time  of  37.6  minutes;  Figure  2  depicts  the 
optimal  solution.  We  cannot  easily  illustrate  the  individual  routes  followed  by  each  of  the 
7,600  travelers,  but  Figure  2(a)  provides  a  sense  of  congestion.  In  addition,  for  travelers 
originating  at  one  selected  node,  Cc,  Figure  2(b)  shows  the  total  number  of  travelers  on 
each  road  and  bridge. 

5.1.  Konigsberg’s  Bridges  Attacked  with  No  Defenses 

It  is  worthwhile  investigating,  by  solving  AD  for  various  values  of  nATK,  how  attacks  might 
affect  Konigsberg’s  traffic  flow  if  no  bridges  are  defended.  It  turns  out  that  the  most  disrup¬ 
tive  single-bridge  attack  (nATK  =  1)  is  on  bridge  c,  but  this  results  in  an  increase  in  average 
travel  time  of  only  9.2  minutes,  about  24%;  see  Figure  3(a).  If  capabilities  analysis  shows 
that  terrorists  could  destroy  only  a  single  bridge,  we  might  conclude  that  the  city  is  already 
“well  defended.”  The  optimal  two-bridge  attack  targets  bridges  c  and  d  (Figure  3(b)),  and 
average  travel  time  increases  by  44.5  minutes.  Perhaps  officials  should  become  worried  if  a 
two-bridge  attack  appears  possible. 


Notes,  (a)  The  worst-case  one-bridge  attack  destroys  c,  resulting  in  an  average  travel  time  of  46.8  min¬ 
utes.  (b)  The  worst-case  two-bridge  attack  destroys  bridges  c  and  d,  resulting  in  an  average  travel  time  of 
82.1  minutes.  In  each  case,  the  figures  indicate  the  optimal  rerouted  flows  in  response  to  the  attacks. 
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Figure  4.  Traffic  flow  in  Konigsberg  resulting  from  all  possible  one-,  two-,  and  three-bridge  attacks 
on  an  undefended  system. 


(a) 
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Notes,  (a)  The  plot  depicts  average  travel  time  resulting  from  each  attack  plan  having  nATK  =  1,2,  or  3; 
results  are  ranked,  from  most  to  least  disruptive  for  each  value  of  nATK.  There  are  three  three-bridge  attacks 
that  disconnect  the  network,  so  the  resulting  average  travel  time,  denoted  “140*,”  could  be  arbitrarily 
high.  The  inset  expands  results  for  single-bridge  attacks  and  shows  the  actual  bridge  involved  in  each, 
(b)  Considerable  variation  appears  in  the  disruption  caused  by  attacks  involving  one,  two,  or  three  bridges. 
In  particular,  the  most  disruptive  two-bridge  and  three-bridge  attacks  result  in  substantially  more  travel 
delay  than  a  random  attack  plan  having  the  same  number  of  bridges. 


Figure  4  shows,  given  no  defenses  and  for  different  values  of  nATK,  rank-ordered  lists  of 
optimal  attack  plans  and  their  outcomes.  We  observe  several  features.  First,  for  any  value 
of  nATK,  a  considerable  difference  can  appear  in  the  disruption  caused  by  an  optimal  attack 
plan  versus  a  plan  chosen  randomly.  For  nATK  =  1,  the  loss  of  bridge  c  increases  the  average 
travel  time  by  9.2  minutes,  while  the  expected  increase  in  average  travel  time  is  7.1  minutes 
for  a  “random  attack,”  that  is,  if  a  “dumb”  attacker  were  to  choose  to  attack  each  bridge 
with  probability  1/7.  For  nATK  =  2,  the  loss  of  bridges  c  and  d  increases  the  average  travel 
time  by  44.5  minutes,  while  a  random  attack  increases  expected  average  travel  time  by  only 
18.9  minutes.  When  nATK  =  3,  three  attack  plans,  namely  [a,b,f],  [c,d,g],  and  [e,f,g],  can 
disconnect  the  network,  and  average  travel  time  can  become  arbitrarily  long.  In  contrast,  a 
random  three-bridge  attack  among  the  other  combinations  results  in  an  expected  increase 
to  average  travel  time  of  (only)  36.0  minutes. 

In  this  example,  the  optimal  one-bridge  attack  [c],  optimal  two-bridge  attack  [c,d],  and 
optimal  three-bridge  attack  [c,d,f]  define  monotonic  attack  plans,  i.e.,  xj  <  x?;  <  Xg,  where 
the  subscript  corresponds  to  nATK.  This  is  good  news  for  an  attacker  of  Konigsberg,  who 
can  follow  a  simple  prioritized  list  of  attacks:  c  then  d  then  f.  If  he  is  stopped  (for  example, 
caught  or  killed)  after  attacking  n  <  3  bridges,  he  has  been  maximally  disruptive  given 
that  ?iATK  =  n.  For  larger  infrastructure  systems,  however,  we  typically  find  that  simple 
prioritized  lists  yield  a  sequence  of  suboptimal  attack  plans. 

Results  in  Table  3  also  indicate  the  dubiousness  of  basing  infrastructure-defense  analysis 
on  a  single,  heuristically  chosen  attack  plan.  For  instance,  a  reasonable  greedy  heuristic 
would  first  attack  the  link  with  the  largest  nominal  traveler  flow,  but  such  a  choice  is  only 
the  third  best  for  the  attacker.  See  Smith  et  al.  [69]  for  a  related  discussion. 

5.2.  Optimal  Defenses  for  Konigsberg 

We  conclude  from  the  previous  section  that  (a)  a  small  number  of  attacks  can  cause  substan¬ 
tial  disruption  to  travel  in  Konigsberg,  (b)  a  defensive  model  that  assumes  random  attacks 
could  leave  the  city  open  for  a  highly  disruptive  optimal  attack  plan,  and  (c)  a  defensive 
model  that  plans  against  a  heuristically  derived  attack  plan  is  also  open  to  making  a  seri¬ 
ous  error.  So,  solving  DAD  near-optimally  could  give  some  important  information  to  city 
officials,  and  any  solution  needs  to  be  based  on,  or  at  least  imply,  near-optimal  solutions 
ofAD(w). 
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Table  3.  Heuristically  chosen  and  optimal  one-bridge  attacks. 


Bridge 

Total  baseline 
traffic  (persons) 

Rank  in 
baseline  traffic 

Increase  in  average  travel 
time  if  destroyed  (minutes) 

Rank  in 
disruption 

a 

1,190 

5 

6.9 

4 

b 

1,444 

2 

6.4 

6 

c 

1,407 

3 

9.2 

1 

d 

1,687 

1 

8.3 

3 

e 

661 

7 

3.1 

7 

f 

1,070 

6 

6.9 

5 

g 

1,205 

4 

8.9 

2 

Notes.  The  bridge  that  carries  the  most  traffic  is  not  necessarily  the  bridge  that,  if  lost,  results  in  the 
greatest  disruption  (increase  in  average  travel  time). 


Assume  now  that  analysts  believe  that  the  worst  possible  attack  on  the  Konigsberg  bridges 
would  destroy  two  or  three  bridges.  City  officials  are  unsure  of  their  budget  for  bridge 
defenses,  and  would  like  to  know  the  optimal  set  of  bridges  to  defend  for  each  “budget  level” 
nDEF  £  {1, . . .  ,4}.  Solution  of  DAD- Transport  will  provide  the  answers. 

We  use  GAMS  (GAMS  [35])  to  formulate  all  models  in  the  decomposition  for  DAD- 
Transport  and  solve  them  using  CPLEX  12.02  (IBM  [44])  on  a  Lenovo  T510  laptop  com¬ 
puter.  Master  problems  and  nonlinear  subproblems  are  solved  by  specifying  the  quadrat- 
ically  constrained  programming  option  in  GAMS  (“QCP  =  CPLEX”),  which  also  handles 
quadratic  objective  functions.  We  run  the  full  decomposition  algorithm  on  the  Konigsberg 
data  using  tolerances  £  =  0.01,  £mp  =  0.01,  and  £ad  =  0.001.  No  individual  problem  requires 
more  than  10  minutes  to  solve  and,  in  total,  results  reported  in  Table  4  require  less  than 
20  minutes  to  produce. 

Table  4  presents  initial  results.  The  table  shows  the  variety  of  optimal  defense  plans  that 
arise  when  multiple  bridges  can  be  defended  and  when  multiple  bridges  may  be  attacked. 
Note  that  the  optimal  defense-plan  vector  is  not  necessarily  monotonic  in  the  number  of 
bridges  defended.  Specifically,  for  neither  nATK  =  2  nor  nATK  =  3  does  an  optimal  one-bridge 


Table  4.  Optimal  bridges  to  defend  in  Konigsberg. 


Number 
of  bridges 
attacked 
nATK 

Number 
of  bridges 
defended 
nDEF 

Bridges 

optimally 

defended 

Bridges 

attacked 

after 

defense 

Minimized 
average 
travel  time 
(minutes) 

Num.  of 

AD  problems 
solved  in  Alg. 
DAD-Decomp 

Num.  of 
AD  problems 
solved  if  using 
enumeration 

2 

1 

c 

a,  b 

75.9 

3 

7 

2 

b,  d 

c,  g 

65.3 

5 

21 

3 

b,  c,  d 

a,  f 

58.9 

7 

35 

4 

b,  c,  f,  g 

a,  d 

55.0 

12 

35 

3 

1 

d* 

a,  b,  f 

00 

3 

7 

2 

c,  f 

a,  b,  g 

103.4 

6 

21 

3 

b,  d,  g 

c,  e,  f 

70.5 

9 

35 

4 

b,  d,  f,  g 

a,  c,  e 

59.2 

12 

35 

Notes.  For  each  number  of  attacks  and  defenses  this  table  presents  an  optimal  defense,  and  a  resulting 
optimal  attack,  determined  using  the  decomposition  algorithm.  For  three  attacks  and  one  defense,  the 
optimal  solution  (defend  bridge  d)  is  arbitrary  (denoted  by  an  asterisk):  if  any  single  bridge  is  defended, 
three  bridges  can  always  be  attacked  so  that  some  travelers  cannot  reach  their  destinations.  In  such  a  case, 
the  resulting  objective-function  value  is  arbitrarily  large. 
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Table  5.  Optimal  bridges  to  defend  and  road  segments  to  upgrade  in  Konigsberg. 


Number 
of  bridges 
attacked 
nATK 

Number 
of  bridges 
defended 
nDEF 

Optimal 
bridges  to 
defend 

Optimal 
road  segments 
to  upgrade 

Bridges 

attacked 

after 

defense 

Minimized 
average 
travel  time 
(minutes) 

Avg.  travel  time 
decrease  beyond 
bridge  defense 
alone  (minutes) 

2 

1 

c 

(Bb,  Bf),  (Cd,  Cg) 

a,  b 

68.5 

7.3 

2 

b,  d 

(Cc,  Cd),  (Cd,  Cg) 

c,  g 

59.0 

6.3 

3 

b,  c,  d 

(Bb, Bf),  (Cd, Cg) 

a,  f 

54.4 

4.6 

4 

a,d,  f,  g 

(Cc,  Cd),  (Cd,  Cg) 

b.  c 

49.3 

5.7 

3 

1 

d* 

(Cc,  Cd),  (Cd,  Cg) 

a,  b,  f 

oo 

— 

2 

c,  f 

(Bb, Bf),  (Cd, Cg) 

a,  b,  g 

96.1 

7.4 

3 

b,  d,  g 

(Cc,  Cd),  (Cd,  Cg) 

a,  c,  f 

64.2 

6.3 

4 

a,  d,  f,  g 

(Cc,  Cd).  (Cd,  Cg) 

b,  c,  e 

52.7 

6.5 

Notes.  Again,  the  asterisk  in  the  first  row  for  three  attacks  indicates  that  the  network  becomes  disconnected. 
With  the  exception  of  the  shaded  rows  involving  4  defenses,  the  optimal  bridge  defenses  and  the  optimal 
attacks  remain  the  same  with  or  without  road-segment  upgrades.  Average  delays  are  reduced  by  between 
7%  and  11%  compared  to  Table  4. 


defense  define  a  subset  of  an  optimal  two-bridge  defense.  Thus,  no  optimal  prioritized  list  of 
defenses  can  be  created.  (Alternate  optimal  solutions  might  make  this  possible,  but  do  not.) 

As  one  would  expect,  solutions  reflect  “diminishing  returns”  as  the  number  of  defended 
bridges  grows.  For  example,  for  both  values  of  nATK,  the  difference  between  defending  two 
bridges  and  defending  three  exceeds  the  difference  between  defending  three  and  four. 


5.3.  Optimal  Defenses  for  Konigsberg:  Extensions  to  New  Construction 

In  addition  to  considering  defenses  on  some  of  the  city’s  bridges,  a  separate  line  item  exists 
in  the  Konigsberg  city  budget  to  upgrade  any  two  of  the  road  segments  (Ba,  Bb),  (Bb,  Bf), 
(Cc,  Cd),  (Cd,  Cg)  for  less  congestion  and  faster  travel.  The  question  is  then:  which  combi¬ 
nation  of  ?rDEF  defended  bridges  and  two  upgraded  road  segments  creates  the  most  resilient 
transportation  system,  given  that  two  or  three  bridges  might  be  attacked?  For  our  purposes, 
an  upgrade  on  a  road  segment  reduces  ctij  =  15  to  oy?  =  10  and  reduces  0i3  =  0.005  to 
0ij  =  0.001.  To  evaluate  these  alternatives,  we  add  an  edge  for  each  candidate  road  improve¬ 
ment  to  the  base  model,  and  add  an  ad-hoc  constraint  limiting  the  number  of  these  new 
defensive  improvements  to  two. 

Algorithm  DAD-Decomp  extends  to  this  new  situation  easily  and  produces  the  results 
shown  in  Table  5  in  about  16  minutes  of  computation  time.  Unfortunately,  those  results  also 
show  that  that  the  city  cannot  substantially  improve  resilience  to  attack  of  its  transportation 
network  by  upgrading  road  segments. 

One  city  planner  therefore  asks  “What  if  we  shift  those  road-upgrade  funds  into  building 
a  new,  invulnerable  bridge  (Ba,  Cc)?”  (Actually,  current-day  Kaliningrad  possesses  such  a 
bridge.)  We  assume  that  the  budget  remains  unspecified  for  protecting  the  other  bridges,  and 
compute  results  analogous  to  Tables  4  and  5  with  an  invulnerable  bridge  (i,j)  =  (Ba,  Cc) 
in  place,  having  parameters  Cij  =  3,  ai:j  =  5,  and  0ij  =  0.01.  (The  new  bridge  will  be  three 
times  longer  than  the  other  bridges,  but  subject  to  less  congestion;  compare  to  values  in 
Table  3.)  This  requires  adding  just  one  edge  to  the  base  case  to  represent  the  new  bridge. 
The  results  in  Table  6,  computed  in  less  than  four  minutes,  show  that  the  new  bridge  would 
enhance  resilience  of  the  Konigsberg  road-and-bridge  network  substantially,  and  that  option 
is  much  better  than  upgrading  any  two  road  segments. 
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Table  6.  Optimal  bridges  to  defend  in  Konigsberg  given  that  an  invulnerable  bridge  (Ba,  Cc)  is 
built,  and  no  other  new  construction  is  possible. 


Number  Number  Optimal  Bridges  Minimized  Avg.  travel  time 

of  bridges  of  bridges  bridges  attacked  average  travel  decrease  beyond  bridge 

attacked  uatk  defended  nDEF  to  defend  after  defense  time  (minutes)  defense  alone  (minutes) 


2 

1 

d 

e,g 

53.5 

22.3 

2 

d,g 

b,f 

52.2 

13.1 

3 

d,f,g 

a,  b 

48.8 

10.2 

4 

b,  d,  f ,  g 

a,  c 

43.8 

11.2 

3 

1 

g 

a,  b,  f 

75.1 

oo 

2 

f,g 

c,  d,  e 

60.5 

43.0 

3 

b,  d,  e 

c,f,g 

53.3 

17.3 

4 

b,d,f,g 

a,  c,  e 

46.1 

13.1 

Notes.  Note  the  much-reduced  travel  times  compared  to  Tables  4  and  5.  With  the  new  bridge,  a  one-bridge 
defense  also  suffices  to  prevent  a  three-bridge  attack  from  disconnecting  the  network.  The  shaded  rows 
identify  optimal  defense  and  attack  plans  that  differ  from  solutions  obtained  without  the  new-bridge  option. 


6.  Conclusions  and  Areas  for  Future  Research 

This  paper  has  demonstrated  how  a  three-stage,  sequential  game  provides  an  appropriate 
paradigm  for  planning  budget-limited  defenses  and/or  new  construction  that  will  maximize 
the  resilience  of  a  critical  infrastructure  system  subject  to  attack  by  an  intelligent  adversary. 
A  defender-attacker-defender  model  (DAD)  represents  the  following:  (1)  a  defender  makes 
budget-limited  investments  to  improve  an  infrastructure  system;  (2)  an  attacker  sees  those 
investments  and  attacks  the  system  so  as  to  maximize  damage;  and  (3)  damage  is  measured 
in  terms  of  the  cost  (or  increased  cost,  decreased  value,  etc.)  that  the  defender- as- operator, 
or  simply  operator,  incurs  when  operating  the  system  optimally.  Cost  is  evaluated  by  solving 
an  operator’s  model  which,  rather  than  using  untested  surrogate  measures  of  operational 
effectiveness,  reflects  real  measures  such  as  travel  delay,  unserved  demand,  throughput,  etc. 
Operations  of  an  electric  power  grid,  for  instance,  should  be  modeled  using  an  industry- 
standard  power-flow  model,  and  road  congestion  should  be  measured  using  an  industry- 
standard  traffic-flow  model  (at  least  until  the  usefulness  of  simpler  surrogate  models  is 
established) .  Tests  using  a  standard  traffic-equilibrium  model  show  how  no  actual  operator 
of  the  system  may  be  necessary,  as  this  model  represents  the  actions  of  delay-minimizing 
travelers. 

The  paper  has  also  developed  a  general  decomposition  algorithm  for  solving  DAD  models. 
We  solve  model  instances  with  a  relative  optimality  tolerance  of  1%  (i.e.,  £  =  0.01)  to  enable 
interested  researchers  to  reproduce  our  results.  Even  though  our  algorithm’s  master  problem 
is  an  integer  nonlinear  programming  problem,  this  tight  tolerance  leads  to  scenario  solution 
times  of  only  a  few  seconds  to  a  few  minutes. 

The  attacks  envisaged  in  this  paper  are  primarily  physical,  but  communications  net¬ 
works  like  the  Internet  are  subject  to  “cyber-attacks.”  Defense  against  cyber-attacks  may 
be  amenable  to  study  via  DAD,  and  this  area  needs  investigation.  We  have  investigated 
single  infrastructure  systems,  yet  attacks  on  one  system  may  affect  another;  for  example,  an 
electric  power  line  carried  by  a  bridge  may  be  lost  if  the  bridge  is  attacked,  and  the  resulting 
power  outage  may  increase  traffic  delays  through  a  loss  of  traffic  signals.  This  topic  certainly 
warrants  study,  also. 

Appendix 

This  appendix  presents  the  arc  data  which,  along  with  the  node  data  in  §3,  suffices  to  reproduce 
all  results  in  this  paper.  See  §2.1  for  definitions. 
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Table  A.l.  Base-case  arc  data  for  undefended  roads  and  bridges  of  Konigsberg. 


Arc  tail  i 

Arc  head  j 

rdo  ndo 
ij  "ij 

ad9 

A? 

Pi! 

Arc  tail  i 

Arc  head  j 

rd0 

ij 

qd9 

ad9 

*3 

P% 

Aa 

Ab 

1  0 

5 

0 

Ab 

Aa 

l 

0 

5 

0 

Aa 

Ac 

1  0 

5 

0 

Ac 

Aa 

l 

0 

5 

0 

Aa 

Ad 

1  0 

5 

0 

Ad 

Aa 

l 

0 

5 

0 

Aa 

Ae 

1  0 

5 

0 

Ae 

Aa 

l 

0 

5 

0 

Ab 

Ac 

1  0 

5 

0 

Ac 

Ab 

l 

0 

5 

0 

Ab 

Ad 

1  0 

5 

0 

Ad 

Ab 

l 

0 

5 

0 

Ab 

Ae 

1  0 

5 

0 

Ae 

Ab 

l 

0 

5 

0 

Ac 

Ad 

1  0 

5 

0 

Ad 

Ac 

l 

0 

5 

0 

Ac 

Ae 

1  0 

5 

0 

Ae 

Ac 

l 

0 

5 

0 

Ad 

Ae 

1  0 

5 

0 

Ae 

Ad 

l 

0 

5 

0 

Aa 

Ba 

1  1,000 

5 

0.020 

Ba 

Aa 

l 

1,000 

5 

0.020 

Ab 

Bb 

1  1,000 

5 

0.020 

Bb 

Ab 

l 

1,000 

5 

0.020 

Ac 

Cc 

1  1,000 

5 

0.020 

Cc 

Ac 

l 

1,000 

5 

0.020 

Ad 

Cd 

1  1,000 

5 

0.020 

Cd 

Ad 

l 

1,000 

5 

0.020 

Ae 

De 

1  1,000 

5 

0.020 

De 

Ae 

l 

1,000 

5 

0.020 

Ba 

Bb 

1  0 

15 

0.005 

Bb 

Ba 

l 

0 

15 

0.005 

Bb 

Bf 

1  0 

15 

0.005 

Bf 

Bb 

l 

0 

15 

0.005 

Bf 

Df 

1  1,000 

5 

0.020 

Df 

Bf 

l 

1,000 

5 

0.020 

Cc 

Cd 

1  0 

15 

0.005 

Cd 

Cc 

l 

0 

15 

0.005 

Cd 

Cg 

1  0 

15 

0.005 

Cg 

Cd 

l 

0 

15 

0.005 

Cg 

Dg 

1  1,000 

5 

0.020 

Dg 

Cg 

l 

1,000 

5 

0.020 

De 

Df 

1  0 

15 

0.005 

Df 

De 

l 

0 

15 

0.005 

De 

Dg 

1  0 

15 

0.005 

Dg 

De 

l 

0 

15 

0.005 

Df 

Dg 

1  0 

15 

0.005 

Dg 

Df 

l 

0 

15 

0.005 

Note.  These  data  all  correspond  to  the 

“do- 

nothing” 

defense  option  do. 

Table  A 

.2.  Arc  data 

for  ‘ 

‘hardening”  defenses 

on  Konigsberg  bridges. 

Arc  tail  i 

Arc  head  j 

cdl  adl 

ij  ^3 

d\ 
ry  -  • 
13 

$ 

Arc  tail  % 

Arc  head 

j  < 

-.dl  adl 

'ij  Hij 

adl 

0% 

Aa 

Ba 

1  0 

5 

0.02 

Ba 

Aa 

1  0 

5 

0.02 

Ab 

Bb 

1  0 

5 

0.02 

Bb 

Ab 

1  0 

5 

0.02 

Ac 

Cc 

1  0 

5 

0.02 

Cc 

Ac 

1  0 

5 

0.02 

Ad 

Cd 

1  0 

5 

0.02 

Cd 

Ad 

1  0 

5 

0.02 

Ae 

De 

1  0 

5 

0.02 

De 

Ae 

1  0 

5 

0.02 

Bf 

Df 

1  0 

5 

0.02 

Df 

Bf 

1  0 

5 

0.02 

Cg 

Dg 

1  0 

5 

0.02 

Dg 

Cg 

1  0 

5 

0.02 

Notes.  (See  results  in  Table  4.)  These  data  represent  defense  option  c?i,  which  applies  only  to  bridges, 
initially. 


Table  A. 3.  Arc  data  added  to  base  case  for  upgrading  condition  of  Konigsberg  roads. 


Arc  tail  i 

Arc  head  j 

cdl 

1-3 

di 

di 

OL  ■  ■ 

13 

Ptj 

Arc  tail  i 

Arc  head  j 

cdl 

13 

di 

% 

d\ 

ad 

pi! 

Ba 

Bb 

l 

0 

10 

0.001 

Bb 

Ba 

l 

0 

10 

0.001 

Bb 

Bf 

l 

0 

10 

0.001 

Bf 

Bb 

l 

0 

10 

0.001 

Cc 

Cd 

l 

0 

10 

0.001 

Cd 

Cc 

l 

0 

10 

0.001 

Cd 

Cg 

l 

0 

10 

0.001 

Cg 

Cd 

l 

0 

10 

0.001 

Notes.  (See 

results  in  Table  5.)  These  data  correspond  to  defense  option  d±. 

Table  A. 4. 

Arc  data  for  adding  a  new 

,  invulnerable  bridge  to  Konigsberg. 

Arc  tail  i 

Arc  head  j 

rdo 

ij 

qd° 

ad9 

LXi3 

pi! 

Arc  tail  i 

Arc  head  j 

rdo 

ij 

qd9 

Hi  3 

(Xd9 
u 13 

pi! 

Ba 

Cc 

3 

0 

5 

0.01 

Cc 

Ba 

3 

0 

5 

0.01 

Notes.  (See  results  in  Table  6.)  This  bridge  is  invulnerable  to  attack,  so  only  defense  option  do  applies. 
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